METHOD AND DEVICE FOR MONITORING A DISTRIBUTED SYSTEM

Field of the Invention

The present invention relates to a method and a device for monitoring a distributed system made up of several users that are connected by a bus system.

Background Inf ormat ion 

The application of electronic control units in all technical fields, such as in industrial applications as, for instance, in the machine tool field or in automation, as well as in the vehicle field, and the networking of these control units, particularly in safety-relevant applications such as braking functions in the motor vehicle, e.g., ABS or ESP, steering functions or even transmission shifting functions as well as engine control functions, raise the problem of the safe operation of such a distributed system.

In this context, especially in the motor vehicle field, mixed mechanical/electronic ("mechatronic") systems are used these days. Today's mechatronic systems monitor the function of the system automatically, in that, for instance, redundancy is built in. In this context, the usual systems include, for each control unit or subsystem, two processors that compute the functions and then compare the results. If there is a difference in the results, a fault is deemed to have appeared, and measures relevant to safety are able to be initiated. In this context, the second processor is often designed to be more low-powered. In such a case, this second processor rechecks only selected sub-ranges, and compares them to the actual functional computer, as is described, for example, in published German patent document DE 195 00 188 A1.

Transferred to a distributed system, this means that each control unit of the subsystem is in itself constructed so that it is able automatically to detect a fault, and then initiates fault-handling measures, that is, each subsystem is itself constructed redundantly for ascertaining the results. To produce the redundancy in the self-monitoring control units, these have to be constructed in a very costly manner, and components have to be integrated which would not be strictly necessary for the actual functioning of the control unit.

It is an object of the present invention to reduce this monitoring expenditure for each individual subsystem.

Summary

The present invention provides for transferring the essential monitoring functionality to the bus system itself. This makes possible the monitoring of distributed systems over the entire bus system, whereby, in an advantageous manner, the subsystems and control units or users may be constructed with reference to their own function, and additional monitoring expenditure may be largely avoided in this user construction.

To do this, the present invention provides a method and a device for monitoring a distributed system that is made up of several users which are connected by a bus system. In an expedient way, at least a number of the users is then provided as monitoring users, and the process data of at least one monitored user are stored in data areas of memory units of the bus system to which the monitoring users have access, these process data being evaluated by the monitoring users.

Thus, in an advantageous manner, in a system having distributed intelligence, not every subsystem has to discover all relevant faults in itself and initiate necessary countermeasures, because this would bring up increased costs, and the full capacity present in the bus system would not be utilized. Thus, according to the present invention, one is able to do without parts of the monitoring devices by having portions of the monitoring taken over by other users, especially by the section of the bus system, i.e., the bus coupling-in unit, that is allocated individually to each user.

To do this, in an expedient manner, each of the data areas is 
uniquely assigned to one monitored user. 

In this context, it is advantageous if the monitored user itself has no access to the data area assigned to it. In this context, on the one hand, the data areas may be distributed over the at least two memory units, so that virtual data areas, so to speak, are created and/or at least a part of the data areas is provided simultaneously in each memory unit, as a function of the access potential of the individual users.

For the monitoring itself, each monitoring user advantageously generates outcome data as a function of the evaluation of the process data of the monitored user. These outcome data for monitoring are generated by all monitoring users with the exception of the at least one monitored user itself, and come about from the evaluation of the process data, in particular in that the self-ascertained data for the processes are compared to those of the user that is to be monitored. Expediently, fault information and/or measures information will then be included in these outcome data. Therewith, on the one hand, the user to be monitored may be notified from an individual point of view of each monitoring user whether a fault is present, and which measures the respective monitoring user would initiate, based on the error present.

This advantageously takes place in that the outcome data are transmitted via the bus system to a communications controller of the bus system that is allocated to the monitored user. The evaluation of the outcome data may thus, for one thing, be carried out by the communications controller of the monitored user itself. If the outcome data are stored, in one example embodiment, in the data areas, especially the bus coupling-in unit, an evaluation may also be made by other users or other communications controllers beside the one of the monitored user.


Because of the method, device, bus system and distributed system according to the present invention, fewer cost-intensive measures may be used in the overall system for monitoring individual subassemblies or subsystems of the overall system, so that, in particular, the number of hardware components in the subsystems, and thereby the costs for these, may be lowered. Furthermore, without a greatly increased expenditure, a selection may be made by voting using the monitoring data, especially an N of M selection with respect to the outcome data, where N and M are natural numbers, M is greater than 2 and N is greater than M/2.

Brief Description of the Drawings

Figure 1 shows a distributed system having several users, a 
user being made up of a corresponding subsystem and a bus 
coupling-in unit. 


Figure 2 shows a detailed illustration of a user and the way it ties in with the communications connection.

Figure 3 shows the bus coupling-in unit with the data areas according to the present invention.

Figure 4 again shows a user in detail, this time with respect 
to a redundantly designed bus system. 


Detailed Description

Figure 1 shows a distributed system 100 having four users 101 to 104. In this context, each user is made up of a corresponding subsystem 1 to 4 and a bus coupling-in unit 106 to 109. These users 101 to 104 are connected to one another via a communications connection 105. According to the present invention, in this distributed system, the monitoring users, especially their bus coupling-in units, now also undertake parts of the monitoring of the at least one monitored user; for example, user 101 is monitored by users 102 to 104. At the same time, for instance, user 102 is monitored by users 101, 103 and 104, etc., so that each user is monitored with respect to each subsystem by at least two additional users of the distributed system.

If each user is monitored by at least three further users, a voting function, that is, a selection function, is also possible with respect to the judgment of the monitoring users with reference to the monitored user. For this, the monitoring users may transmit their estimation ("outcome data"), that is, the result of the monitoring concerning the functional condition of the at least one monitored user, via the communications connection to, e.g., the communications controller of the monitored user. These outcome data are then evaluated by the communications controller, whereupon the latter takes appropriate measures, if necessary. In this evaluation, a voting may then take place in such a way that, for example, in the case of three monitoring users, a 2 of 3 valuation may take place first for error detection and also for the initiation of measures. In this context, that user is able to be monitored by all other users of the distributed system, or by only a portion of the users, these users then being provided as monitoring users.

For the increase of security, especially in the case of a faulty subsystem, the subsystem itself, especially the computing unit of the subsystem, is not able to access the monitoring results, that is, the outcome data of the other users, so that the monitoring takes place independently on and via the bus system.

The distributed system according to Figure 1 is consequently conceived in such a way that parts of the functional monitoring may be processed outside the subsystem, in other words, in the other users or in the bus coupling-in unit. In the context of monitoring subsystem 1, subsystem 1 files the process data on the data bus in the bus system. In this context, the process data are filed in data areas of memory units of the bus system in the bus coupling-in unit, as is to be explained in further detail in connection with the further drawings. Users 102 to 104, or rather subsystems 2 to 4, are able to access these process data in the data areas of memory units of the bus system and evaluate them, so that the monitoring is able to be achieved from these data. Each monitoring subsystem files its estimation, in the form of outcome data, on the condition of subsystem 1, that is, the monitored subsystem, again on the data bus, that is, the bus system, in special areas. These outcome data areas are assigned to the communications controller or the bus coupling-in unit or to an additional device that is especially provided therein, and are able to be evaluated by it.

These outcome data, on the one hand, include error data, that is, the estimation of the respective subsystem as to whether the monitored subsystem has a faulty function or not. On the other hand, this fault information may be evaluated in the form of an identification character in such a way that it may be positively stated in which process data, and thus at which functionality, an error was detected. Besides this fault information, which thus first permits a yes/no decision on the fault or is able to designate exactly the fault in an extended form (or the process or functionality it is based on), there may further be provided measures information in the outcome data. This means that, as a function of, for example, the type of fault or the type of process data at which the fault has appeared, or the type of process or functionality at which the fault was first observed, fault measures are able to be initiated in a differentiated manner. Such measures may consist in switching off a subsystem, the transition of a subsystem into operation under emergency conditions, or even normal continued operation at a low fault priority. In the case of a transition into operation under emergency conditions, in this context, a predefined program may be run, fixed values may be assumed, or a restricted functionality may be provided.

Consequently, in a simple case, voting may take place, i.e., an N of M selection, e.g., a 2 of 3 selection, having a fixedly predefined fault reaction or even a differentiated reaction as a function of the type of fault, as described, and a special measure may be initiated, the allocation of measure to type of fault being able to take place, for instance, via a firmly predefined allocation table or other selection criteria.

In order, for instance, in the case of a faulty processor and thus a faulty computer unit of subsystem 1, to avoid endangering the evaluation of the data because of its own faultiness, the computer unit of subsystem 1, that is, of the monitored system, should not have any possibility of accessing the special data areas with respect to the outcome data in the memory units of the bus system that are allocated to this subsystem 1.

Figure 2 now shows in detail such a user, which is coupled into communications connection 201. The coupling into this communications connection 201 takes place via a bus coupling-in unit 202 which is made up of a transceiver 203, a communications controller 204, and the memory unit of a monitoring register 205. The subsystem is connected to this bus coupling-in unit via a computer unit 206, which represents the control unit or computer unit, the μC of the subsystem. This subsystem includes input data delivered by sensors 211 via a sensor signal adaptation unit 212, such sensor data being also able to be delivered to the computer unit via the communications connection and the bus coupling-in unit. This applies, for example, to intelligent sensor systems which, on their part, are connected to the communications connection.

Starting from these input data, output signals are generated by computer unit 206 and a power unit 209 is activated which, on its part, in turn operates actuators 210. In similar fashion, additional signal outputs are optionally possible via a signal adaptation unit 208.

The monitoring register or bus coupling-in unit 202 is in direct connection to a fault unit 207. Thereby, the bus coupling-in unit, especially communications controller 204, may emit signals starting from the data in the data areas of monitoring register 205, for instance, to a reset unit, a voltage regulator, an oscillator and/or a watchdog.

In user 200 according to Figure 2, made up exactly of the corresponding subsystem and the bus coupling-in unit, the monitoring data, that is, on the one hand, the process data of the monitored user, and, on the other hand, the outcome data of the other users, to the extent that it is monitored itself, find their way directly from communications controller 204 into the monitoring register, that is, the data areas of memory unit 205. In these data areas a weighting may take place, for example by voting, as to which measures are to be initiated.

If subsystems 2 to 4, or rather users 102 to 104, agree that subsystem 1 is performing its function in a faulty manner, or if such an estimation is revealed from a corresponding voting, for example from a 2 of 3 selection, then subsystem 1 may, for instance, be reset, that is, set back, shut off completely, or have power unit 209 deactivated. Such a fault reaction, as was described above, may also be implemented by the bus coupling-in unit while circumventing computer unit 206, optionally by direct activation of power unit 209 or signal adaptation unit 208, as indicated by the dashed arrows in Figure 2.

If, among several subsystems or users, only one user is of the opinion that subsystem 1 has a fault, it is conceivable that, instead of in the monitored subsystem, a fault is in this monitoring subsystem which has detected the error. Since, as was described in connection with Figure 1, each subsystem of the distributed system is able to be tested using this method, this subsystem may now be examined for faults. Thus the process data of this subsystem are then evaluated, i.e., the subsystem that has mistakenly detected faults is tested on its part. This consequently prevents a faulty switching off. In addition, insufficient or incorrect fault reactions and measures are prevented.

Figure 3 again shows, as an example, a bus coupling-in unit 300 having a transceiver 301, a communications controller 302 as well as a memory unit, that is, monitoring register 303. This monitoring register is here divided into four data areas, for example, T1, T2, T3 and T4, corresponding to the number of monitored users or users to be monitored. These data areas T1 to T4 may then again be divided on their part, so that, on the one hand, the process data of the corresponding user may be input, and, on the other hand, the corresponding outcome data may be allocated. These data areas may be provided to be identical in each bus coupling-in unit, corresponding to the number of monitored and monitoring users, other combinations also being possible according to the present invention.
Consequently, during the monitoring of user T1, the process data of this user are input in T1. The monitoring users now evaluate these process data and set up outcome data from this evaluation. For the input of the outcome data, there are now various possibilities. For one thing, all outcome data of the individual users may be input into the data area of the monitored user, whereby, for example, by using an identification character, an allocation of the data to the respective monitoring user is made possible. The communications controller now undertakes a valuation of these outcome data, by comparison or voting, and initiates an appropriate fault reaction.

In addition to the above example, the corresponding data may be input to the data area allocated to the respective user, so that the respective process data of the corresponding user are input and special areas PE2 to PE4 are allocated by T1 to these process data in PE1, into which the respective outcome data of user 2, 3 or 4 are input, so that, by using communications controller 302, via optional line 304, a comparison and a voting may be carried out, as well as the corresponding corrective measures. In the first example case, the number of data areas corresponds to the number of the monitored users, so that one data area is clearly allocated to each monitored user. In the second example case, the number of data areas corresponds to the sum of the number of the monitoring and the monitored users, and, as was already described, in this context, an intersection of sets up to a complete agreement of the number of monitored and monitoring users is possible, so that in the extreme case, each user is monitored by all the other users.
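The N of M selection on outcome data, the allocation table from fault type to measure, the lone-dissenter case and the T1 to T4 / PE1 to PE4 register layout described above, worked through as an added C example that is not code from the patent; the fault and measure codes, the allocation table values and all identifiers are assumptions made for illustration.

```c
/* Added example (not from the patent): model of the Figure 3 monitoring register
 * (areas T1..T4, process data PE1, outcome slots PE2..PE4), the N of M selection
 * and the allocation table. Fault/measure codes and names are assumptions. */
#define USERS 4   /* users 101..104 of Figure 1, indexed 0..3 */
enum fault_type { FAULT_NONE = 0, FAULT_RANGE, FAULT_TIMEOUT, FAULT_CRC, FAULT_TYPES };
enum measure { MEASURE_CONTINUE = 0, MEASURE_EMERGENCY, MEASURE_SHUTDOWN };
struct outcome { int valid, fault; };  /* slot written?; FAULT_NONE or identified type */
struct data_area {
    int process_data;           /* PE1: process data filed by the monitored user */
    struct outcome pe[USERS];   /* PE2..PE4: one slot per monitoring user */
};
struct monitoring_register { struct data_area t[USERS]; };  /* T1..T4 */
/* fault_confirmed: 1 when N of M monitoring users report a fault; measure: from the
 * allocation table; suspect_monitor: lone dissenting monitor to cross-check, or -1 */
struct verdict { int fault_confirmed, measure, suspect_monitor; };

/* Firmly predefined allocation table: fault type -> measure (assumed values). */
static const int allocation_table[FAULT_TYPES] = {
    [FAULT_NONE] = MEASURE_CONTINUE, [FAULT_RANGE] = MEASURE_EMERGENCY,
    [FAULT_TIMEOUT] = MEASURE_EMERGENCY, [FAULT_CRC] = MEASURE_SHUTDOWN,
};

/* Monitoring user `writer` files its outcome on `target`. The monitored user has
 * no access to its own outcome slots, so writer == target is refused. */
int file_outcome(struct monitoring_register *reg, int writer, int target, int fault) {
    if (writer < 0 || writer >= USERS || target < 0 || target >= USERS) return -1;
    if (writer == target || fault < 0 || fault >= FAULT_TYPES) return -1;
    reg->t[target].pe[writer].valid = 1;
    reg->t[target].pe[writer].fault = fault;
    return 0;
}

/* N of M selection over area `target`: M = filed outcomes, N > M/2, M > 2 (e.g.
 * 2 of 3). A single dissenter among M > 2 monitors is marked for cross-checking
 * instead of the monitored user being switched off. */
struct verdict evaluate(const struct monitoring_register *reg, int target) {
    struct verdict v = { 0, MEASURE_CONTINUE, -1 };
    int m = 0, n_fault = 0, lone = -1, count[FAULT_TYPES] = { 0 };
    for (int u = 0; u < USERS; u++) {
        const struct outcome *o = &reg->t[target].pe[u];
        if (u == target || !o->valid) continue;
        m++;
        if (o->fault != FAULT_NONE) { n_fault++; count[o->fault]++; lone = u; }
    }
    if (m > 2 && 2 * n_fault > m) {
        int best = FAULT_NONE;   /* most frequently identified fault type */
        for (int f = 1; f < FAULT_TYPES; f++) if (count[f] > count[best]) best = f;
        v.fault_confirmed = 1; v.measure = allocation_table[best];
    } else if (m > 2 && n_fault == 1) {
        v.suspect_monitor = lone;
    }
    return v;
}

/* Scenario helper: the three monitoring users of `target` (ascending index) file
 * codes fa, fb, fc into a fresh register, which is then evaluated. */
struct verdict scenario(int target, int fa, int fb, int fc) {
    struct monitoring_register reg = { 0 };
    int codes[3] = { fa, fb, fc }, k = 0;
    for (int u = 0; u < USERS; u++)
        if (u != target) file_outcome(&reg, u, target, codes[k++]);
    return evaluate(&reg, target);
}

/* Returns 1 when a monitored user's write to its own outcome area is refused. */
int self_access_denied(void) {
    struct monitoring_register reg = { 0 };
    return file_outcome(&reg, 1, 1, FAULT_CRC) == -1;
}
```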

Figure 4 shows a redundant system having communications connections 401 and 402 for user 400. In this context, two bus coupling-in units 405 and 404 are now provided, of which each is coupled in using a communications connection. Here, too, the bus coupling-in units include a transceiver 403 or 408, a communications controller 406 or rather 409, as well as a monitoring register, memory unit 407 or 410. Here, too, at least one fault unit 411 is provided, which is operated by the memory unit and bus coupling-in unit 404.

In this context, the same fault unit 411 is also able to be operated by the other bus coupling-in unit 405 in the same way, or a second fault unit is provided, for redundancy reasons, i.e. one fault unit per bus coupling-in unit. Both bus coupling-in units are here also connected to computer unit 417, which, in turn, receives input signals from sensors 415 via a sensor signal adaptation unit 416. In the same way, computer unit 417 here forms output signals to a power unit 413 or a signal adaptation unit 412. Power unit 413 here also controls actuators 414.

Using such a redundant system facilitates scalability with respect to the fault security by allocating the data areas in memory units 407 and 410. Thus, the data areas may be distributed, for example, over the two memory units, or they may be provided only partially distributed and partially equal. Thus it is possible to provide some data areas in both memory units 407 and 410, and other data areas in each case only in one memory unit. This brings about a scalable redundancy, using which the system may react very flexibly to security-relevant requirements of the system. Thus, at least a part of the data areas may be provided in each bus coupling-in unit of the distributed system, but also in each bus coupling-in unit of this redundant distributed system. This also depends on the number of the monitored and/or monitoring users.
In this manner, a very flexible and yet still simple form of fault monitoring in a distributed system is achieved.
Abstract

A method and device for monitoring a distributed system made up of a plurality of users that are connected by one bus system are provided, in which distributed system at least a number of the users are provided as monitoring users. The process data of at least one monitored user are filed in data areas of memory units of the bus system, to which the monitoring users have access, and the process data are evaluated by the monitoring users.

(Figure 2)